easpeagle
Yeah... piling on here... I've deployed some RL 9.4 systems that end up having this issue. Grub is reading the grub.cfg from down in /boot/efi/EFI/rocky/grub.cfg ... but the system is...
> > /etc/default/grub definitely shows "GRUB_ENABLE_BLSCFG=false" ... what's the right way to retrofit my system so that it works properly for BLS?
> >
> > try running `grub2-mkconfig --update-bls-cmdline -o /boot/grub2/grub.cfg`...
Full debug 2 logging output:
```
# "/root/.acme.sh"/acme.sh --debug 2 --cron --home "/root/.acme.sh"
[Sun Apr 13 15:28:39 UTC 2025] Let's find the script directory.
[Sun Apr 13 15:28:39 UTC 2025]...
```
Looks like this is the problem... in FIPS mode... openssl doesn't want to print out the key details that acme.sh is looking for to determine key type: Tested with creating...
Hmm... that worked to disable the default_sect ... but I still see these providers:
```
# openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.2
    status: active
  fips...
```
I just hacked the acme.sh binary to add `-provider fips` where needed on the openssl `ec` command lines. Seems like better detection of FIPS mode or a simple flag to...
Okay... yeah, that's helpful to know. Traefik definitely needs a feature that allows a user to configure certificate lifetime during the request similar to the acme.sh feature "valid-to" option. https://github.com/acmesh-official/acme.sh/wiki/Validity
Yeah... I'm hitting this exact same issue. It's not even trying to do anything on the network. This is bizarre.